diff options
author | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 19:18:15 +0200 |
---|---|---|
committer | Guilhem Moulin <guilhem@fripost.org> | 2024-09-25 21:44:41 +0200 |
commit | f0feb7c74ca2252ef2513da12fc85be9684a54b4 (patch) | |
tree | 301152d43426ab8f242ab835fdc04e6f3ba21196 /files/etc/systemd/system | |
parent | 5f9605745f4f8e59d5aba78da18b8a50bc4a5d88 (diff) |
Copy webmap-publish.
We also replace persistent/shared RuntimeDirectory settings with
directories defined as tmpfiles.d(5) entries. This gives more control
over access control.
We also change static compression from gzip to brotli on the HTTPd.
Diffstat (limited to 'files/etc/systemd/system')
-rw-r--r-- | files/etc/systemd/system/webmap-download@.service | 6 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-import@.service | 6 | ||||
-rw-r--r-- | files/etc/systemd/system/webmap-publish@.service | 40 |
3 files changed, 44 insertions, 8 deletions
diff --git a/files/etc/systemd/system/webmap-download@.service b/files/etc/systemd/system/webmap-download@.service index c0e826f..2c5a3e4 100644 --- a/files/etc/systemd/system/webmap-download@.service +++ b/files/etc/systemd/system/webmap-download@.service @@ -16,14 +16,11 @@ IOSchedulingClass=idle Type=oneshot ExecStart=/usr/local/bin/webmap-download \ --cachedir=/var/cache/webmap \ - --lockdir=%t/webmap-download \ + --lockdir=%t/lock/webmap/download \ --no-exit-code \ --quiet \ -- %I -RuntimeDirectory=webmap-download -RuntimeDirectoryPreserve=yes - # Hardening NoNewPrivileges=yes ProtectHome=yes @@ -34,6 +31,7 @@ ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 ReadWritePaths=/var/cache/webmap +ReadWritePaths=%t/lock/webmap/download [Install] WantedBy=webmap-update@%i.target diff --git a/files/etc/systemd/system/webmap-import@.service b/files/etc/systemd/system/webmap-import@.service index 540e7de..06d204c 100644 --- a/files/etc/systemd/system/webmap-import@.service +++ b/files/etc/systemd/system/webmap-import@.service @@ -20,12 +20,9 @@ IOSchedulingClass=idle Type=oneshot ExecStart=/usr/local/bin/webmap-import \ --cachedir=/var/cache/webmap \ - --lockfile=%t/webmap/lock \ + --lockfile=%t/lock/webmap/lock \ -- %I -RuntimeDirectory=webmap -RuntimeDirectoryPreserve=yes - # Hardening NoNewPrivileges=yes ProtectHome=yes @@ -35,6 +32,7 @@ ProtectControlGroups=yes ProtectKernelModules=yes ProtectKernelTunables=yes RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +ReadWritePaths=%t/lock/webmap PrivateTmp=yes [Install] diff --git a/files/etc/systemd/system/webmap-publish@.service b/files/etc/systemd/system/webmap-publish@.service new file mode 100644 index 0000000..e2f8e6b --- /dev/null +++ b/files/etc/systemd/system/webmap-publish@.service @@ -0,0 +1,40 @@ +[Unit] +Description=Webmap updater service (publish %I as MVT) +#After=postgresql.service webmap-update@%i.target +#After=webmap-download@%i.service +#After=webmap-import@%i.service +#Upholds=webmap-update@%i.target + +[Service] +User=_webmap-publish +Group=_webmap + +Nice=15 +IOSchedulingClass=idle + +Type=oneshot +ExecStart=/usr/local/bin/webmap-publish \ + --lockfile=%t/lock/webmap/lock \ + --destdir=/var/www/webmap/tiles/%i \ + --name=%I \ + --webroot=/var/www/webmap \ + --metadata=/var/www/webmap/tiles/metadata.json \ + --metadata-lockfile=%t/lock/webmap/tiles.lock \ + --compress \ + -- %I + +# Hardening +NoNewPrivileges=yes +ProtectHome=yes +ProtectSystem=strict +PrivateDevices=yes +ProtectControlGroups=yes +ProtectKernelModules=yes +ProtectKernelTunables=yes +RestrictAddressFamilies=AF_UNIX AF_INET AF_INET6 +ReadWritePaths=/var/www/webmap/tiles +ReadWritePaths=%t/lock/webmap +PrivateTmp=yes + +#[Install] +#WantedBy=webmap-update@%i.target |